New Zealand’s National Cyber Security Centre (NCSC) has reported a rise in financial losses from cyber incidents in the third quarter of 2025 (Q3 2025), despite overall incident volumes staying close to previous levels. In its Cyber Security Insights report for the period July 1 to Sept. 30, 2025, the NCSC said it received 1,249 incident reports. Direct financial losses totalled $12.4 million, more than double the $5.7 million recorded in the previous quarter.
The centre said much of the increase was linked to a small number of high‑value business email compromise (BEC) incidents and altered payment instructions. “This quarter, we have received a number of reports of significant financial losses resulting from business email compromises. This is where a bad actor gains access to email accounts and then sends fake invoices or changes payment details to redirect payments to their bank account,” said NCSC chief operating officer Mike Jagusch. For insurers, brokers, and risk managers, the figures indicate higher average losses per incident in certain case types, particularly those involving compromised email accounts and diverted payments, rather than a surge in total incident numbers.
The NCSC reported an increase in incidents requiring specialist technical support. Of the 1,249 cases in Q3, 110 were triaged as being of potential national significance, compared with 56 in Q2 2025. “A rise in unauthorised access to email accounts was one of the main drivers of this increase in potentially nationally significant incidents. Another reason was a general uptick in other malicious activity that we linked to cyber criminals and financially motivated actors,” Jagusch said.
The remaining 1,139 incidents in Q3 went through the NCSC’s general triage process, with reports coming mainly from individual users and New Zealand organisations. Scams and fraud remained the largest incident category, with 446 reports in Q3, and has been the most reported type in every quarter since Q4 2024. Phishing and credential harvesting was the second‑largest category, with 355 reports. For cyber underwriters, the combination of social engineering, BEC, and credential harvesting continues to signal exposure to direct financial loss, fraud‑related claims, and potential accumulation across insured portfolios.
The NCSC also noted increased reporting of incidents associated with malicious software during Q3. The latest report includes an article outlining recent changes in malware techniques and delivery models, together with NCSC recommendations for organisations. “The cyber threat landscape is evolving quickly. Malware is becoming much more sophisticated. For example, bad actors now offer malware-as-service platforms that give criminals who lack advanced technical skills the ability to deploy malicious software,” Jagusch said. For insurers and reinsurers, the wider availability of such tools may affect assumptions about threat actor capability, the likelihood of ransomware deployment, and the exposure of small and mid‑sized enterprises that may not previously have been prominent targets.
The Q3 results sit alongside the NCSC’s Q2 2025 findings for April 1 to June 30, when 1,315 incidents were reported – slightly more than in Q3 – but with lower financial impact. Q2 direct financial losses were $5.7 million, down from $7.8 million in Q1 2025. In Q2, scams and fraud were again the most reported incident category with 514 cases, followed by phishing and credential harvesting with 374 reports. Of the 1,315 incidents, 56 were assessed as potentially nationally significant and were escalated for specialist support. The Q2 report focused on social engineering directed at helpdesks and support channels. “We are seeing a type of attack where a cybercriminal calls up an organisation’s helpdesk and pretends to be a staff member who needs help getting access to their account,” Jagusch said.
According to the NCSC, attackers can then use that access to download data or deploy ransomware. “They use social engineering techniques to sound more convincing. This might be using a sense of urgency, appealing to authority, or tricking you into feeling sympathy towards them,” Jagusch said. A Q2 case study described an attempted infiltration of a New Zealand organisation by a “sophisticated actor,” with the NCSC later confirming that no data was taken where strong passwords, multi‑factor authentication, and network segmentation had been implemented.
Taken together, the Q2 and Q3 2025 data point to persistent scam and phishing activity, ongoing use of social engineering, and higher reported loss values in certain incidents. For New Zealand insurance professionals, the findings are likely to feed into cyber underwriting assumptions, pricing for BEC and fraud‑related covers, and expectations around email security, authentication controls, and incident readiness across insured clients.